The European Union’s data protection laws have seen tech giants come under increasing scrutiny. Here’s what you need to know
Recently, the European Union (EU) has shown a determination, although belatedly, to tackle the power of some of the most powerful (and profitable) corporations. Facebook’s parent company, Meta, was fined $18.6 million by the Irish Data Protection Commission (DPC) over a string of historical data breaches that affected up to 30 million Facebook users; Amazon was handed a massive fine of close to $900 million for allegedly violating the EU’s General Data Protection Regulation (GDPR); and Google was fined $57 million by a French data privacy watchdog, which found that the “advertising targeting on its Android operating system does not comply” with the GDPR.
Tech giants are increasingly coming under the scrutiny of regulators. Although the penalties are relatively small, given that these tech giants’ global annual turnover runs well into the billions of dollars, it’s pretty clear that security breaches and flagrant rule violations are attracting penalties and are not being swept under the rug.
For years, there have been complaints from across the continent, such as Sweden’s Spotify saying Apple’s App Store fees give Apple Music an unfair advantage and German cloud provider Nextcloud branding Microsoft’s OneDrive cloud storage service as anti-competitive. To address the problem, in March, the EU introduced the Digital Markets Act (DMA), a new set of regulations that aims to rein in some of the business activities of those companies in Europe. It is considered the most sweeping digital policy to regulate tech since GDPR was passed in 2018.
The DMA is aimed at stopping the large tech platforms from using their interlocking services and considerable resources to box in users and squash rivals, thus creating room for new entrants and more competition. For example, the DMA will require Apple to let iPhone users download apps from rival app stores, and WhatsApp will have to allow people to use its app to communicate with others using rival messengers. If the tech companies violate the rules, they could face fines of up to 20% of their global turnover. Moreover, the European Commission will also be able to impose a ban on mergers.
Meanwhile, as more devices generate data used for control and monitoring, such as in smart homes and factories, the European Union is proposing legislation, a bill called the Data Act, that would force more data sharing among companies in Europe.
“The Data Act will ensure that industrial data is shared, stored, and processed in full respect of European rules,” said Thierry Breton, European Commissioner for the internal market. Focused on non-personal data, the Data Act aims to help open up more of a marketplace for data by forcing companies to strike data-sharing deals that allow consumers to choose between competing service providers when using connected devices.
In the EU, the Cambridge Analytica scandal pushed lawmakers and regulators to dial up their scrutiny of tech giants’ handling of people’s information, which ultimately accelerated moves to overhaul regulation of digital platforms such as the UK’s Online Safety legislation and the EU’s Digital Services Act.
Last year, Vera Jourová, the EU’s commissioner for values and transparency, warned Google and Facebook over “legal tricks”, and made it clear that the EU is ready to intervene over weak enforcement of GDPR. Jourová said the tech giants must take the protection of personal data “seriously”.
This remark marks a step up in the approach to GDPR enforcement. While GDPR has attracted international attention, as countries grapple with how to protect people in an age of data-mining giants, the law decentralizes oversight of these rules and rights to supervisory agencies at the EU member state level. That decentralization gives tech giants a get-out clause, letting them get a regulator of their choice.
In February, the Belgian Data Protection Authority (the BDPA) fined Interactive Advertising Bureau (IAB) Europe $272,512 for various infringements in relation to its Transparency and Consent Framework (TCF). IAB Europe created the TCF to help publishers and advertisers comply with the GDPR. The BDPA ruling has given IAB Europe two months to propose changes and six months to put them in place.
Although the fine was relatively minor in GDPR terms, the decision will likely have wide-reaching implications for IAB, a data controller, and for the majority of players in the online Adtech ecosystem who rely on the framework.
This ruling would have ripple effects across Europe because of the widespread use of TCF across the Adtech ecosystem, which is dictated heavily by Google’s participation in TCF. Privacy advocates see this ruling as a step toward stronger consumer data protections for Europeans. The Adtech industry may now be forced to rethink its GDPR compliance.
Whether these new rules and regulations are strong enough to stop the anti-competitive behavior and data breaches will depend on how effectively they are implemented, and it will take time to show the real results. Nonetheless, they are potentially transformative, and could offer a preview of what’s to come elsewhere in the world.